Background
I have two Windows Server 2012R2 VMs (each with one NIC) listening on port 514 for Syslog UDP messages, which process and then persist the messages to a database. I tried setting up Network Load Balancing to distribute the Syslog traffic between the two of them.
When I tested the configuration by sending one UDP packet from PowerShell to the clustered IP, I noticed that I would get two syslog entries in the database. At first, I thought each host had received and processed the packet separately, so I added a tag to both so they would persist their dedicated IP Address as well. From that I knew I was actually getting two packets from the same host.
Using Wireshark I can confirm that two packets are received by the interface, both for the same IP. But if I send the UDP packet to the dedicated IP, I will only receive one packet. Is this normal behavior for NLB to duplicate a package on the interface? For load balancing, this seems counterproductive because the cluster then has to process two packets for every one packet sent. How do I configure NLB to not give the receiving host two of the same packet?
My NLB Configuration
Cluster Properties:
Cluster IP Address: 192.168.1.100
Subnet Mask: 255.255.255.0
Full Internet name: mysyslogcluster.local
Network Address: 03-bf-c0-a8-01-64
Cluster Operation Mode: Multicast
Port Rules: 0-513 (disabled), 514 (udp), 515-65535 (disabled)

Host 1 Properties
IP Address: 192.168.1.1
Subnet Mask: 255.255.255.0
Load Weight: Equal

Host 2 Properties
IP Address: 192.168.1.2
Subnet Mask: 255.255.255.0
Load Weight: Equal

Port 514 Rule
Protocols: UDP
Filtering mode: Multiple host
Affinity: None

Testing
I have Wireshark installed on both hosts, with the filter: udp port 514
I wrote a PowerShell function to send a Syslog Message to a certain IP and Port:

    # Create a UDP client bound to the target IP and port
    function Get-UdpClient($IP, $Port){
        $UDPClient = New-Object System.Net.Sockets.UdpClient
        $UDPClient.Connect($IP, $Port)
        return $UDPClient
    }

    # Build a syslog message and send it as a single UDP datagram
    function Send-Syslog($UDPClient, $facility = 5, $severity = 7, $program = "PSSyslogGen", $hostname = $env:COMPUTERNAME, $category = "TEST", $message){
        # Syslog priority value: facility * 8 + severity
        $priority = ($facility * 8) + $severity
        $datetime = Get-Date -Format "MMM dd HH:mm:ss"
        $FSyslogMessageStr = "<{0}>{1} {2} {3} {4}: {5}" -f $priority, $datetime, $hostname, $program, $category, $message
        $SyslogMessageBytes = [System.Text.Encoding]::ASCII.GetBytes($FSyslogMessageStr)
        $resp = $UDPClient.Send($SyslogMessageBytes, $SyslogMessageBytes.Length)
    }

If I run the command in PowerShell on a separate host:

    PS C:>$client = Get-UDPClient -IP "192.168.1.100" -Port 514
    PS C:>Send-Syslog -UDPClient $client -message "Test NLB"

I will see in Wireshark:

    No.  Time       Source         Destination    Protocol  Length  Info
    1    0.000000   192.168.1.200  192.168.1.100  Syslog    115     SYSLOG.DEBUG: Jun 29 12:00:00 PSSyslogGen HOST-NAME TEST: Test NLB
    2    0.000077   192.168.1.200  192.168.1.100  Syslog    115     SYSLOG.DEBUG: Jun 29 12:00:00 PSSyslogGen HOST-NAME TEST: Test NLB

And then if I run it again, but this time to the dedicated IP:

    PS C:>$client = Get-UDPClient -IP "192.168.1.1" -Port 514
    PS C:>Send-Syslog -UDPClient $client -message "Test NLB"

I'll just get one packet in Wireshark:

    3    10.384867  192.168.1.200  192.168.1.1    Syslog    115     SYSLOG.DEBUG: Jun 29 12:00:10 PSSyslogGen HOST-NAME TEST: Test NLB

edit 1
I can confirm that the same behavior is exhibited for TCP packets. I've also tried configuring NLB with Unicast Cluster Operation Mode and experienced the same problem.
Wireshark on the other host shows no traffic.
In sum, I will get 2 packets on a single host through a single IP for every 1 packet sent.